Detecting evasion attacks at high speeds without reassembly

Varghese, George; Fingerhut, J. Andrew; Bonomi, Flavio

doi:10.1145/1151659.1159951

Cited by 22 publications

(33 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…See, eg, traffic normalization, 28-30 traffic signatures, 31,32 joint work with the target server, 33 and target system emulator. See, eg, traffic normalization, 28-30 traffic signatures, 31,32 joint work with the target server, 33 and target system emulator.…”

Section: Evasion Techniquesmentioning

confidence: 99%

See 1 more Smart Citation

Evaluating intrusion prevention systems with evasions

Särelä

Kyöstilä

Kiravuo

et al. 2017

Int J Communication

View full text Add to dashboard Cite

Intrusion prevention systems have become a common security measure in the past 20 years. Their promise is the possibility to prevent known attacks against vulnerable, unpatched devices inside enterprise networks. However, evasion techniques that enable the attacker to evade the eye of the intrusion prevention system are a potential problem for this capability. These techniques take advantage of the robustness principle that has guided designers to create systems that will try to recreate protocol content from any input they receive.In this work, we evaluated the effectiveness of 35 well-known evasions against 9 commercial and 1 free, state-of-the-art, intrusion prevention systems. We conducted 4 experiments with one million attacks against each device. Each system lets a significant amount (0.1%-45%) of attacks pass through unrecognized. Our results show that most existing intrusion prevention systems are vulnerable against evasions.

show abstract

Section: Evasion Techniquesmentioning

confidence: 99%

“…We deduct 32 which may have caused reassembly to been overlooked in some products. The results of this study indicate that these may have not been properly implemented in some of the tested IPS.…”

Section: Performance Of Intrusion Preventionmentioning

confidence: 99%

Evaluating intrusion prevention systems with evasions

Särelä

Kyöstilä

Kiravuo

et al. 2017

Int J Communication

View full text Add to dashboard Cite

show abstract

“…Scap shares similar goals with Libnids and Stream5. However, previous works treat TCP stream reassembly as a necessity [50], mostly for the avoidance of evasion attacks against intrusion detection systems [14,19,51]. On the contrary, Scap views transport-layer streams as the fundamental abstraction that is exported to network monitoring applications, and as the right vehicle to implement aggressive optimizations.…”

Section: Tcp Stream Reassemblymentioning

confidence: 99%

“…Although previous work treats TCP stream reassembly as a necessary evil [50], used mostly to avoid evasion attacks against intrusion detection and other monitoring systems, we view streams as the fundamental abstraction that should be exported to network monitoring applications, and as the right vehicle for the monitoring system to implement aggressive optimizations all the way down to the operating system kernel and network interface card.…”

Section: Introductionmentioning

confidence: 99%

Scap

Papadogiannakis

Polychronakis

Markatos

2013

Proceedings of the 2013 Conference on Internet Measurement Conference

View full text Add to dashboard Cite

Many network monitoring applications must analyze traffic beyond the network layer to allow for connection-oriented analysis, and achieve resilience to evasion attempts based on TCP segmentation. However, existing network traffic capture frameworks provide applications with just raw packets, and leave complex operations like flow tracking and TCP stream reassembly to application developers. This gap leads to increased application complexity, longer development time, and most importantly, reduced performance due to excessive data copies between the packet capture subsystem and the stream processing module.This paper presents the Stream capture library (Scap), a network monitoring framework built from the ground up for stream-oriented traffic processing. Based on a kernel module that directly handles flow tracking and TCP stream reassembly, Scap delivers to userlevel applications flow-level statistics and reassembled streams by minimizing data movement operations and discarding uninteresting traffic at early stages, while it inherently supports parallel processing on multi-core architectures, and uses advanced capabilities of modern network cards. Our experimental evaluation shows that Scap can capture all streams for traffic rates two times higher than other stream reassembly libraries, and can process more than five times higher traffic loads when eight cores are used for parallel stream processing in a pattern matching application.

show abstract

“…Caswell and Moore [8] summarized at the time known evasion techniques and introduced some new evasions regarding SMB and MSRPC protocols. Examples of more scientific works to solve the evasion problem include a Sigcomm 2006 paper by Varghese et al [9], and the work by Watson et al [10]. ACM CCS has had many papers in the past on the topic, e.g., Shunting [11].…”

Section: Evasion Research Thus Farmentioning

confidence: 99%